Republican, aides suggest partisan motives in aftermath

Long day for Norm Coleman: Not only did Al Franken not rest his case Wednesday, the Democrat also picked up 14 votes. (Pioneer Press: Jean Pieri)

Former Sen. Norm Coleman's campaign didn't do enough to protect donors' confidential information, and Wednesday that lapse came home to roost as more than 4,700 partial credit card numbers were posted on the Internet.

As data-privacy and security experts criticized the campaign's handling of a confidential donor database, the Republican and his aides suggested partisan motives — and told donors they should cancel their credit cards.

The U.S. Secret Service was investigating, and Coleman's attorney Fritz Knaak said the state Bureau of Criminal Apprehension was aware of the situation. He and Coleman described the situation as theft.

It was unclear whether the campaign violated a state law by not disclosing until Wednesday — after the data surfaced on a self-described whistleblower Web site, posted anonymously — that the information, including entire credit card numbers, was vulnerable. A spokesman for Minnesota Attorney General Lori Swanson declined to comment.

No evidence could be found Wednesday that anyone had made unauthorized purchases or stolen anyone's identity, said Knaak and several donors interviewed by the Pioneer Press.

Politically, the developments appear to threaten Coleman's fundraising as he wages an expensive legal campaign to overturn Democrat Al Franken's 225-vote lead in the race for the Senate.

As of Wednesday, the campaign Web site no longer carried an option to donate online.

"It is obviously an attack on this campaign," Coleman said. "But beyond that, just in terms of the campaign and the effort, we are involved in a very expensive legal proceeding. Online fundraising is a very critical element of that, and clearly the theft of this information, the publication of this information, seriously undermines that."

As recently as late January, databases of thousands of Coleman's donors and assorted contacts sat on a public portion of the campaign's Web site. They were not password-protected, so a Minneapolis consultant was able to find them by essentially surfing the Web. And the credit card numbers weren't encrypted — a violation of credit card industry standards, according to several experts.

Kelly McShane, whose job is to secure information in the banking industry, said he learned that the last four digits of his American Express card — and the four-digit security code used to verify the card — were posted online when a reporter e-mailed him.

"I'm in IT security for a bank, and I can tell you that this is so ... irresponsible that I can't believe it," said McShane, who had donated $100 to the campaign online.

Credit card industry standards — via the Payment Card Industry Council, which includes representatives of major credit cards — dictate that credit card information should never be on the same server as a Web site, said Eric Schultze, chief technology officer for Shavlik Technologies, a Roseville-based computer-security company.

Moreover, he said, credit card numbers should be encrypted, or coded, so if a hacker were to gain access to the separate server, he or she would need to crack the code.

"Otherwise, you'd just see gobbledygook," Schultze said. "It's a big oops on the part of the Web site administrator, and I'd be surprised if that person still had a job. ... It's a rookie mistake. Anybody worth their salt would not set up a Web site that way."

Knaak would not say who set up the Web site as it was, but he said it was not a campaign staffer.

"It was a third-party provider, and right now I don't believe they are providing us service anymore," he said.

However, it's not clear the information posted online Wednesday was obtained when the data was so exposed, and that's Knaak's reasoning for using words like "breach" to describe the situation.

He said the campaign corrected the problem, and it's possible the campaign's system was hacked after that.

When pressed, he said, "Of course, the campaign feels some sense of responsibility." But he added, "We do not believe there's any liability on the part of the campaign."

The situation came to light Jan. 28, when Adria Richards, a Minneapolis consultant, found the databases and blogged about them. She described herself as "Democrat and liberal," but she said, "If this was the site of a Democrat, I still would have done it."

She said she did not download the data.

Knaak said the campaign learned about the vulnerability that day from a blog post, perhaps Richards'.

"We immediately contacted the feds and the state," he said. "They did a forensic examination of the server. They had a 'virtual certainty,' as I've been told, that there had been no download of the data and that none had been taken."

Thus, Knaak said, the campaign wasn't compelled to notify donors that their information had been out there.

The Web site that published the information — WikiLeaks.org — linked to it in e-mails to donors overnight. The site posted the information — including a list of more than 50,000 "supporters" of Coleman — on Wednesday but described it as being from Jan. 28.

The Web site describes itself as "a non-profit project, sponsored by transparency groups and investigative journalists world wide." No one affiliated with the Web site could be reached for comment.

At least some supporters were skeptical of it all.

"I think the timing of this is rather suspicious," said Bev Aplikowski, a former Arden Hills mayor who canceled her credit card after she learned it was in the donor data. "I do not believe Coleman's campaign is that lax — he's been around too long and is too smart. I think someone hacked it."